OWASP / owasp-java-encoder

The OWASP Java Encoder is a Java 1.5+ simple-to-use drop-in high-performance encoder class with no dependencies and little baggage. This project will help Java web developers defend against Cross Site Scripting!
https://owasp.org/www-project-java-encoder/
BSD 3-Clause "New" or "Revised" License
493 stars, 111 forks

Grave accent issue #33

Closed fraenku closed 4 years ago

fraenku commented 5 years ago

In regard to the grave accent issue described here https://www.owasp.org/index.php/OWASP_Java_Encoder_Project#tab=Grave_Accent_Issue I found out that ESAPI.encoder.encodeForHTMLAttribute() converts the ` into its hexadecimal form:

`

Why is owasp-java-encoder not doing the same? Wouldn't this prevent the possible XSS attack in IE?

jmanico commented 5 years ago

Our solution in the cited doc does not require a change in the encoder. We aim to encode •minimally• and the grave accent encoding is not at all necessary if your UI is coded correctly.

The ESAPI encoder chooses to encode very aggressively in situations that are not necessary. No one has ever reported a bypass against the encoder when used properly as documented.

Respectfully,

Jim Manico @Manicode

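The point above, that the grave accent only matters when an attribute is left unquoted, as an added example in the project's own language (this is not code from the owasp-java-encoder project or from the thread participants). It assumes org.owasp.encoder:encoder is on the classpath and uses only the public Encode.forHtmlAttribute method; the input string and the helper names are constructed for the demonstration.

```java
import org.owasp.encoder.Encode;

// Added example, not the project's own code. It contrasts a quoted and an
// unquoted HTML attribute built from the same encoded value, so the reader
// can see which delimiter characters the attribute encoder leaves alone and
// why that is only safe when the surrounding markup quotes the attribute.
public class AttributeQuoting {

    // Constructed attacker-controlled value: a grave accent, the whitespace
    // and '=' an unquoted attribute would terminate on, and the HTML
    // metacharacters the encoder is responsible for.
    static final String INPUT = "x` onmouseover=alert(1) \"'<>&";

    // The supported pattern: the template always quotes the attribute and
    // the value goes through the attribute encoder.
    static String quotedAttribute(String name, String value) {
        return name + "=\"" + Encode.forHtmlAttribute(value) + "\"";
    }

    // The unsupported pattern: no quotes. Whitespace ends the value for every
    // browser, and the cited issue is that old IE also ends it on a grave
    // accent. The encoder is not asked to fix this; the template is.
    static String unquotedAttribute(String name, String value) {
        return name + "=" + Encode.forHtmlAttribute(value);
    }

    // Reports which attribute-delimiting characters survive encoding.
    static String survivingDelimiters(String encoded) {
        StringBuilder out = new StringBuilder();
        for (char c : "\"'`<>= ".toCharArray()) {
            if (encoded.indexOf(c) >= 0) {
                out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        String encoded = Encode.forHtmlAttribute(INPUT);
        System.out.println("quoted:   <span " + quotedAttribute("title", INPUT) + ">");
        System.out.println("unquoted: <span " + unquotedAttribute("title", INPUT) + ">");
        System.out.println("delimiters left in the encoded value: [" + survivingDelimiters(encoded) + "]");

        // Inside a double-quoted attribute the only character that can close
        // the value is '"', and forHtmlAttribute encodes both quote characters,
        // so anything else the encoder leaves in place is inert there.
        if (encoded.indexOf('"') >= 0 || encoded.indexOf('\'') >= 0) {
            throw new AssertionError("quote characters must not survive attribute encoding");
        }
    }
}
```

Run it and compare the two span elements: in the quoted form the printed value cannot escape the attribute no matter which of the listed characters survive, while in the unquoted form the first space (or, in IE, the grave accent) already ends the value and the rest becomes a new attribute. That is the sense in which the fix belongs in the template rather than in the encoder.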

fraenku commented 5 years ago

Thanks for the quick answer, I understand the point :-)

What is your opinion in regards to the widely used -tag included in JSTL?

Is it safe enough, since it does not offer any context-sensitive encoding? At least according to https://www.cvedetails.com/product/31268/Apache-Standard-Taglibs.html?vendor_id=45 no issue has been reported so far (which surprises me...)

jmanico commented 5 years ago

It’s safe for HTML body locations, but not for CSS or JavaScript code locations...

-- Jim Manico @Manicode Secure Coding Education +1 (808) 652-3805

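Why HTML-only escaping (what the JSTL output tag does) is fine in an HTML body but not in a JavaScript location, as an added example in the project's language; this is not code from the owasp-java-encoder project, from JSTL, or from the thread. It assumes org.owasp.encoder:encoder on the classpath and uses Encode.forJavaScriptAttribute. The jstlStyleEscape helper is a constructed approximation of JSTL's escapeXml behaviour (the five XML characters), htmlAttributeDecode is a deliberately small model of the browser decoding an attribute value before the event handler reaches the JavaScript engine, and the payload string is constructed.

```java
import org.owasp.encoder.Encode;

// Added example, not the project's or JSTL's own code. A value is placed in
// an inline event handler, onclick="show('...')", once with HTML-only
// escaping and once with the Java Encoder's JavaScript-attribute encoder,
// and the handler text is shown as the JavaScript engine would see it.
public class HandlerContext {

    // Constructed payload: closes the JS string literal, runs code, reopens it.
    static final String PAYLOAD = "'); alert(document.domain); ('";

    // Approximation of JSTL escapeXml=true: only the five XML metacharacters.
    static String jstlStyleEscape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '\'': sb.append("&#039;"); break;
                case '"':  sb.append("&#034;"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Minimal model of the browser: an attribute value is entity-decoded
    // before an event handler is compiled as JavaScript. Only the entities
    // used above are handled; a real browser decodes all of them.
    static String htmlAttributeDecode(String s) {
        return s.replaceAll("&#0*39;", "'")
                .replaceAll("&#0*34;", "\"")
                .replace("&lt;", "<").replace("&gt;", ">")
                .replace("&quot;", "\"").replace("&apos;", "'")
                .replace("&amp;", "&");
    }

    // The handler source as the JS engine receives it for a given encoded value.
    static String handlerSeenByJs(String encodedValue) {
        return htmlAttributeDecode("show('" + encodedValue + "')");
    }

    // Counts single quotes that are not backslash-escaped. A single intact
    // string literal in show('...') contributes exactly two.
    static int unescapedSingleQuotes(String js) {
        int n = 0;
        for (int i = 0; i < js.length(); i++) {
            if (js.charAt(i) == '\'' && (i == 0 || js.charAt(i - 1) != '\\')) {
                n++;
            }
        }
        return n;
    }

    public static void main(String[] args) {
        String viaHtmlEscape = handlerSeenByJs(jstlStyleEscape(PAYLOAD));
        String viaJsEncoder  = handlerSeenByJs(Encode.forJavaScriptAttribute(PAYLOAD));

        System.out.println("HTML-only escaping, after attribute decoding:    " + viaHtmlEscape);
        System.out.println("forJavaScriptAttribute, after attribute decoding: " + viaJsEncoder);

        // The browser undoes the HTML escaping before the JS parser runs, so
        // the payload's quotes come back and the literal is broken open.
        if (unescapedSingleQuotes(viaHtmlEscape) == 2) {
            throw new AssertionError("expected the HTML-only escaped value to break the literal");
        }
        // The JS-attribute encoder emits no quote or '&' characters at all, so
        // attribute decoding changes nothing and the literal stays intact.
        if (unescapedSingleQuotes(viaJsEncoder) != 2) {
            throw new AssertionError("JS-attribute encoding must keep the string literal intact");
        }
    }
}
```

The same reasoning applies to a style attribute or a script block: HTML escaping protects the HTML parser, but the value then reaches a second parser (JavaScript or CSS) with its own delimiters, which is what Encode.forJavaScript, forJavaScriptBlock, forJavaScriptAttribute and forCssString are for.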